Kubernetes OPA Gatekeeper bypass
Last updated
The original author of this page is Guillaume
Having an overview of the Gatekeeper configuration helps you know which rules are active, in which enforcement mode they run, and which namespaces or users are exempt from them.
ConstraintTemplate and Constraint resources are used in Open Policy Agent (OPA) Gatekeeper to enforce rules on Kubernetes resources.
A graphical user interface may also be available for viewing the OPA rules: Gatekeeper Policy Manager, which is "a simple read-only web UI for viewing OPA Gatekeeper policies' status in a Kubernetes Cluster."
Search for the exposed service:
As illustrated in the image above, certain rules are not applied universally across all namespaces or users. Instead, they operate on a whitelist basis. For instance, the liveness-probe constraint is excluded from the five specified namespaces.
With a comprehensive overview of the Gatekeeper configuration, it is possible to identify misconfigurations that could be exploited to gain privileges. Look for whitelisted or excluded namespaces where the rule does not apply, and then carry out your attack there.
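The overview described above can be produced without a GUI by reading the constraints back from the API server and flagging every one that does not block everywhere. The following script is an added example, not part of the original page or of the Gatekeeper project. It parses the JSON shape returned by `kubectl get constraints -A -o json` and reports each constraint's `spec.enforcementAction` (`deny` is the default; `dryrun` and `warn` only log), its `spec.match.excludedNamespaces` and any `spec.match.namespaces` scoping. The embedded cluster data is constructed for the example; the constraint names and the five excluded namespaces are sample values, not a real cluster's.

```python
import json

# Constructed sample mirroring `kubectl get constraints -A -o json` output.
# Names, kinds and namespaces are made up for this example.
SAMPLE_CONSTRAINTS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "constraints.gatekeeper.sh/v1beta1",
            "kind": "K8sRequiredProbes",
            "metadata": {"name": "liveness-probe"},
            "spec": {
                # No enforcementAction given -> Gatekeeper defaults to "deny".
                "match": {
                    "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
                    "excludedNamespaces": [
                        "kube-system", "gatekeeper-system",
                        "monitoring", "logging", "cert-manager",
                    ],
                },
                "parameters": {"probes": ["livenessProbe"]},
            },
        },
        {
            "apiVersion": "constraints.gatekeeper.sh/v1beta1",
            "kind": "K8sPSPPrivilegedContainer",
            "metadata": {"name": "no-privileged"},
            "spec": {
                "enforcementAction": "dryrun",  # audited only, never blocked
                "match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]},
            },
        },
        {
            "apiVersion": "constraints.gatekeeper.sh/v1beta1",
            "kind": "K8sAllowedRepos",
            "metadata": {"name": "allowed-repos"},
            "spec": {
                "match": {
                    "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
                    "namespaces": ["prod"],  # positive allowlist: only prod is checked
                },
                "parameters": {"repos": ["registry.example.internal/"]},
            },
        },
    ],
})


def audit_constraints(raw_json):
    """Return one finding dict per constraint, with a list of coverage issues.

    An issue is recorded when the constraint is not in deny mode, or when its
    match block leaves some namespaces unchecked (excludedNamespaces or a
    positive namespaces list).
    """
    items = json.loads(raw_json)["items"]
    findings = []
    for c in items:
        spec = c.get("spec", {})
        match = spec.get("match", {})
        action = spec.get("enforcementAction", "deny")
        excluded = match.get("excludedNamespaces", [])
        included = match.get("namespaces", [])
        issues = []
        if action != "deny":
            issues.append(f"enforcementAction={action}: violations are logged, not blocked")
        if excluded:
            issues.append(f"excludedNamespaces {', '.join(excluded)}: not checked")
        if included:
            issues.append(f"scoped to {', '.join(included)}: every other namespace is unchecked")
        findings.append({
            "kind": c["kind"],
            "name": c["metadata"]["name"],
            "enforcementAction": action,
            "excludedNamespaces": excluded,
            "namespaces": included,
            "issues": issues,
        })
    return findings


def gaps(raw_json):
    """Names of constraints that do not block in every namespace."""
    return [f["name"] for f in audit_constraints(raw_json) if f["issues"]]


if __name__ == "__main__":
    for f in audit_constraints(SAMPLE_CONSTRAINTS_JSON):
        print(f"{f['kind']}/{f['name']} [{f['enforcementAction']}]")
        for issue in f["issues"]:
            print(f"  - {issue}")
```

Run it against a real cluster by replacing `SAMPLE_CONSTRAINTS_JSON` with the output of `kubectl get constraints -A -o json`. Excluding `kube-system` and `gatekeeper-system` is common and often deliberate; the report is a starting point for deciding which exemptions are intentional and which are gaps to close, and a `dryrun` or `warn` constraint should be moved to `deny` once its audit results are clean.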
Abusing Roles/ClusterRoles in Kubernetes
Another way to bypass constraints is to focus on the ValidatingWebhookConfiguration resource:
Kubernetes ValidatingWebhookConfiguration